I am working on the code signing aspect of InstallBuilder. Initially I am using signtool for Windows but will also need to sign Mac & Linux .exe & .jar files. I can sign my main install file that I build with InstallBuilder (aka setup.exe). I have read about the postBuildActionList concept, so I can run signtool from there.
I just want to make sure that if I want a customer's final application executable to be signed (MyApp.exe), then I cannot sign it until they have run the setup.exe on their system. Therefore, I need to include a .pfx certificate file as part of the build? And I should probably include the signtool.exe so a customer does not have to install Microsoft SDK themselves? Not sure if signtool.exe depends on other .dlls that would also need to be present.
The .pfx file is password protected, so it seems like it's OK to distribute it. Can I define it (and signtool.exe) as a hidden file in the customer's install directory so they will not see it?
Please let me know if I am missing something here. I do not see a place when running InstallBuilder where I can sign the MyApp.exe file while building the install package.
asked 23 Aug '13, 12:39
The binaries you are installing (i.e. MyApp.exe) should be signed before building the installer, not at customer site.
The best way to do this is to have the build process of the application also sign it - i.e. if it is automated using Makefile, Maven, Ant/NAnt or another build tool, there should be another step that runs signtool to sign the DLLs/EXEs.
Similarly for Mac OS X binaries/bundles, the signing should be done at build time (and has to be done on an OS X machine). The process is documented here:
As for signing .jar files, the process is slightly different and is documented here:
Alternatively, the same commands can be run to sign the binaries before building the installer in
answered 23 Aug '13, 17:04
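The following is an added illustration of the build-time signing step the answer recommends; it is example code, not InstallBuilder's own or the answer author's. It plans the `signtool` / `jarsigner` / `codesign` invocations for every artifact in the installer's staging directory, pairs each with the matching verify command, reads the PFX/keystore password from environment variables (the variable names, the timestamp URL and all paths are assumptions), and fails the build if any private-key material such as a `.pfx` has been staged into the payload, which is the problem with the approach proposed in the question.

```python
"""Build-time signing plan for an installer payload (illustrative example).

Not InstallBuilder code. Tool flags are real signtool/jarsigner/codesign
options; environment variable names, paths and the timestamp URL are
placeholders chosen for this example.
"""
import os
import subprocess
from pathlib import Path

# Constructed placeholder; a real build points this at a trusted RFC 3161 TSA.
TIMESTAMP_URL = "http://timestamp.example.invalid"

# Key material that must never end up inside the installer payload.
PRIVATE_KEY_SUFFIXES = {".pfx", ".p12", ".jks", ".key", ".pem"}
WINDOWS_SUFFIXES = {".exe", ".dll", ".msi"}


def sign_command(path, credentials):
    """Return argv for signing one artifact, chosen by file type."""
    suffix = Path(path).suffix.lower()
    if suffix in WINDOWS_SUFFIXES:
        # Authenticode: SHA-256 file digest plus an RFC 3161 timestamp.
        return ["signtool", "sign", "/f", credentials["pfx_path"],
                "/p", credentials["pfx_password"], "/fd", "SHA256",
                "/tr", TIMESTAMP_URL, "/td", "SHA256", str(path)]
    if suffix == ".jar":
        # jarsigner takes the jar first, then the keystore alias.
        return ["jarsigner", "-keystore", credentials["keystore_path"],
                "-storepass", credentials["keystore_password"],
                "-tsa", TIMESTAMP_URL, "-digestalg", "SHA-256",
                str(path), credentials["key_alias"]]
    if suffix == ".app":
        # codesign only works on a Mac; identity is the certificate subject.
        return ["codesign", "--sign", credentials["mac_identity"],
                "--timestamp", "--options", "runtime", str(path)]
    raise ValueError("no signing tool known for %s" % path)


def verify_command(path):
    """Return argv that checks the signature just applied to `path`."""
    suffix = Path(path).suffix.lower()
    if suffix in WINDOWS_SUFFIXES:
        return ["signtool", "verify", "/pa", "/v", str(path)]
    if suffix == ".jar":
        return ["jarsigner", "-verify", "-strict", str(path)]
    if suffix == ".app":
        return ["codesign", "--verify", "--deep", "--strict", "--verbose=2", str(path)]
    raise ValueError("no verifier known for %s" % path)


def find_private_key_files(paths):
    """Return the subset of `paths` that look like private-key material.

    A password-protected PFX shipped to customers (hidden or not) is still
    the vendor's signing key in the customer's hands, so the build stops here.
    """
    return sorted(p for p in paths if Path(p).suffix.lower() in PRIVATE_KEY_SUFFIXES)


def plan_signing(paths, credentials):
    """Build the ordered sign+verify command list for all signable artifacts."""
    leaked = find_private_key_files(paths)
    if leaked:
        raise RuntimeError("private key material in payload: %s" % ", ".join(leaked))
    commands = []
    for p in sorted(paths):
        if Path(p).suffix.lower() in WINDOWS_SUFFIXES | {".jar", ".app"}:
            commands.append(sign_command(p, credentials))
            commands.append(verify_command(p))
    return commands


def credentials_from_env(env=None):
    """Read secrets from the build environment (variable names are assumptions)."""
    env = os.environ if env is None else env
    return {
        "pfx_path": env.get("SIGN_PFX_PATH", ""),
        "pfx_password": env.get("SIGN_PFX_PASSWORD", ""),
        "keystore_path": env.get("SIGN_KEYSTORE_PATH", ""),
        "keystore_password": env.get("SIGN_KEYSTORE_PASSWORD", ""),
        "key_alias": env.get("SIGN_KEY_ALIAS", ""),
        "mac_identity": env.get("SIGN_MAC_IDENTITY", ""),
    }


def list_payload(staging_dir):
    """Absolute paths of files (and .app bundles) under the staging directory."""
    root = Path(staging_dir)
    return [str(p) for p in root.rglob("*") if p.is_file() or p.suffix.lower() == ".app"]


def sign_payload(staging_dir, credentials=None, run=False):
    """Sign and verify the staged artifacts; with run=False only return the plan."""
    creds = credentials_from_env() if credentials is None else credentials
    commands = plan_signing(list_payload(staging_dir), creds)
    if run:
        for cmd in commands:
            subprocess.run(cmd, check=True)  # any signing/verify failure fails the build
    return commands
```

Run `sign_payload("build/stage", run=True)` as the last step of the application build, before InstallBuilder packages the directory; with `run=False` it just returns the planned commands so they can be reviewed in CI logs.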